The same year the Privacy Act was enacted, American technology company Intel introduced its first Pentium microprocessor as the microchip-of-choice for the manufacturing of personal computers. The original Pentium contained 3.1 million transistors. Two years later it was surpassed by the Pentium Pro with its 5.5 million transistors. (The latest iPhone has 4.3 billion transistors.)
What does this mean? Let’s look at the company Intel. Intel makes microprocessors for computer systems companies like Apple, Lenovo, HP and Dell. These microprocessors have been driving an information technology revolution – with computers increasing in speed and portability.
In 1965, computer scientist Gordon Moore made the observation that computing power appeared to double every two years, in what has become known as Moore’s Law. Let’s relate that to privacy. In the 25 years since the Privacy Act was enacted, computing power has grown exponentially by roughly the power of 12.
When the Privacy Act became law, the World Wide Web and the internet were in their infancy. We didn’t have portable pocket computers which collected extraordinary amounts of personal information, including our location, conversations and shopping habits. We didn’t have email and there was no Facebook. Back then, data breaches were harder to cause and easier to contain. This was the era that I started working in informational privacy law.
Since then, our Privacy Act has withstood substantial challenges by providing a workable framework for addressing existing and emerging privacy issues. It is a tribute to the lawmakers of the time that this technology-neutral legislation, with a principle-based approach, has proved so durable.
However, the scale of digital information being created, collected, transferred, shared and disclosed is now off any chart conceived in 1993. Over four billion people use the internet today. Over three billion people use social media – something that wasn’t a thing until 2004 with Bebo, MySpace and, subsequently, Facebook (anyone remember ICQ?). By one estimate, we produce 2.5 quintillion bytes of data every day – and that’s with the Internet of Things yet to get into a full stride.
This is a dramatically different environment than the one in which I began my professional career. Back then, I could name the other privacy lawyers on one hand. A common privacy concern was the amount of information about citizens being collected and stored by law enforcement agencies. It was a legacy of the anti-establishment 1960s and 1970s when people were increasingly concerned about privacy against a backdrop of the anti-Vietnam war protests, Cold War anxieties, and large mainframe databanks.
Informational privacy is much more than a single issue in New Zealand today. The latest results in our biennial tracking survey show that people are more concerned about privacy issues. While trust in government has improved, increasingly it has become the collection of personal information by business that is cause for concern, among other things. New Zealanders are also deeply concerned about the amount of information children post about themselves on social media and the privacy threats posed by drones and surveillance cameras.
While the privacy concerns of the 1990s have grown and diversified into a multitude of challenges, it’s an encouraging sign there’s been an even further awakening in this digital age of privacy awareness among the public and organisations that hold their information.
A big part of this has been driven by the meteoric emergence of Silicon Valley technology companies. Individually, many of these global companies are now valued at sums greater than the GDP of most nation states. Facebook has a market valuation of over three times New Zealand’s GDP. It handles the personal information of nearly half of the New Zealand population. Also in the digital jungle are Google, Yahoo, Amazon, Twitter, Snapchat, Trivago, Uber and others.
This year, in response to a complaint my Office was investigating, Facebook refused to engage with my Office and comply with our Privacy Act. We notified the New Zealand public that Facebook was a non-compliant agency. Under the current Act, it was all I could do. The big question today for privacy regulators and the public to grapple with is how to change this power imbalance, to give individuals greater control over their personal information.
In the international data protection and privacy meetings that New Zealand participates in, what’s emerging is a consensus for cooperation. Privacy regulators are showing a willingness to share information and work together. Data flows across borders, and in the Ashley Madison breach, we saw a cooperative enforcement effort between American, Canadian and Australian regulators to investigate.
We will continue to need adaptable international and domestic frameworks for dealing with privacy issues. We’ve seen that technology changes very quickly and privacy regulators need the most updated enforcement tools to keep pace. There’s been an upscaling of privacy protection frameworks in many of the OECD countries that New Zealand compares itself against. As we look to modernise our Privacy Act, changes have already been made in Australia, Singapore, the United Kingdom, Canada, and the European Union.
In Europe, the General Data Protection Regulation, which took effect in May, gives consumers more rights and EU regulators more powers. Data portability, rights of erasure, mandatory data breach notification and significant fines for non-compliant organisations are some of the tools we’re arguing should be included in the Privacy Bill currently before the New Zealand Parliament.
This cursory stocktake reveals the breathtaking scope and pace of change of the past 25 years. The next 25 years will also present us with new privacy threats, opportunities and challenges. Some of these will be predictable and others unforeseen. A modern and up-to-date Privacy Act is necessary to give New Zealanders greater control over their information and to afford more robust privacy protections. Imagine how we’d feel if those first Pentium microprocessors had remained unchanged.
This article was originally published in the 2018 September/October edition of iappANZ’s Privacy Unbound.